What Evidence Is Requested During SOC 2 Audits?

One of the most common questions our team fields is what kind of evidence is requested for SOC 2 audits?

The type of evidence requested for SOC 2 audits can be grouped into eight main groups based on our experience: New Hires, Terminated Employees, Risk Management, Logical Security, Incident Response, Change Management, Governance and Vendor Management. While the requested evidence changes based on the engagement, common examples for each category are listed below.

New Hires

• Background checks
• Employee handbook acknowledgement
• System access requests/approvals

Terminated Employees

• Access removal requests
• User lists showing account removed/disabled

Risk Management

• Completed risk assessment
• Vulnerability scans and third party penetration testing reports
• Remediation plans for identified risks
• Disaster Recovery testing

Logical Security

• Role-based access
• Super-user/Administrator access restricted appropriately
• Data at rest encryption
• Minimum password requirements
• Anti-virus/patching

Incident Response

• Incident response plan/procedures
• How anomalous activity indicative of security incidents is detected and addressed
• Incident response plan tabletop exercise

Change Management

• Code reviews and testing documentation
• How segregation of duties is maintained
• Emergency change process

Governance

• Information security governance structure
• Annual policy review
• Confirm those charged with infosec governance are formally communicated Information about infosec
• Annual security awareness training

Vendor Management

• Vendor inventory
• Vendor risk classification
• Confirm key vendors are monitored at least annually (i.e. formal review of vendors' SOC 2 reports).

Schneider Downs employs a unique approach to SOC reports, integrating the expertise of information technology, internal audit and external audit professionals. By combining cross-disciplinary knowledge and project management expertise, we are able to effectively deliver on our clients' expectations. If you are interested in learning how we can assist your organization, please contact us to get started or learn more about our practice at www.schneiderdowns.com/soc. 

About SOC 2 Reports

With SOC 2 reports, organizations decide which categories to include in the scope of the examination. This flexibility means reports are unique to each company, while providing a consistent framework to evaluate whether organizations meet the criteria for the categories included in the examination. These examinations are designed for a broad range of users that need information and assurance about the controls at a service organization relevant to security, availability and processing integrity of the systems the service organization uses to process users’ data, and the confidentiality and privacy of the information processed by these systems. The use of this report is restricted. These reports can play an important role in oversight of the organization, vendor management programs, and internal corporate governance and risk management processes.

Schneider Downs SOC Resources

• Schneider Downs SOC FAQs
• Schneider Downs SOC Case Studies
• Schneider Downs SOC Articles